[Samba] unable to log on to Samba shares remotely
Claesen Dirk
dirk.claesen at ipc.be
Tue Jun 26 09:04:28 MDT 2012
Some additional information, should this be helpful.
Our servers are all on subnet 192.168.5 and are running Solaris 10, Windows PCs are on 192.168.3.
I didn't use any kind of mapping when creating the accounts. All I used was "pdbedit -a" without any other parameter specified.
The global section of the smb.conf I included contains all lines that are entered. Security = USER is therefore what we use.
Kind regards,
Dirk Claesen
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Claesen Dirk
Sent: 26 June 2012 16:19
To: gaiseric.vandal at gmail.com; samba at lists.samba.org
Subject: Re: [Samba] unable to log on to Samba shares remotely
Thanks for the quick reply!
The server from which I tried to connect remotely is located within the same subnet. The Windows PC is in another subnet.
All users have existed for years in the /etc/passwd file. The four users that were using the shares successfully in the past have UID 200, 230, 250 and 300. (user1 is one of these users)
The two users I need to add have UID 350 and 400. (user2 is one of these)
Each of these users is in a different Unix group.
User1 for which I included the output of pdbedit has UID 250, user2 has UID 350.
I cannot run wbinfo for these users as I'm not using winbind.
Pdbedit returns SIDs 1400, 1460, 1500 and 1600 for the "old" Samba users and 1004 and 1005 for the two users I tried to add.
I also ran the id command for the users but that gave the same UID as the ones I extracted directly from the passwd file.
Is there anything else I can check?
Kind regards,
Dirk Claesen
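
Added example, not part of the original messages: the RIDs reported for the four older accounts (1400, 1460, 1500, 1600) equal 2 x UID + 1000, which is Samba's algorithmic UID-to-RID mapping with the default `algorithmic rid base`, while 1004 and 1005 do not fit it. The script parses `pdbedit -v`-style output and labels each account accordingly; the sample text and the `UNIX_UIDS` table are constructed from values quoted in the thread.

```python
import re

# Default "algorithmic rid base" in smb.conf; legacy user RID = 2*UID + base.
ALGORITHMIC_RID_BASE = 1000

# Constructed sample in the field layout `pdbedit -v` prints (values from the thread).
PDBEDIT_OUTPUT = """\
Unix username:        user1
User SID:             S-1-5-21-1956562905-4024769754-4182693708-1500
Primary Group SID:    S-1-5-21-1956562905-4024769754-4182693708-513
---------------
Unix username:        user2
User SID:             S-1-5-21-1956562905-4024769754-4182693708-1004
Primary Group SID:    S-1-5-21-1956562905-4024769754-4182693708-513
"""

# UIDs as stated in the thread (what `id -u <user>` would return); assumed input.
UNIX_UIDS = {"user1": 250, "user2": 350}


def parse_user_rids(text):
    """Return {unix_username: RID} from pdbedit -v style output."""
    rids, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separator lines between accounts carry no field
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            current = value
        elif key == "User SID" and current:
            # Domain SID has three sub-authorities; the last number is the RID.
            m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", value)
            if m:
                rids[current] = int(m.group(1))
    return rids


def classify(rids, uids, base=ALGORITHMIC_RID_BASE):
    """Label each account by whether its RID follows the algorithmic mapping."""
    report = {}
    for user, rid in sorted(rids.items()):
        expected = 2 * uids[user] + base
        if rid == expected:
            report[user] = "algorithmic"
        else:
            report[user] = f"allocated (algorithmic would be {expected})"
    return report


if __name__ == "__main__":
    for user, verdict in classify(parse_user_rids(PDBEDIT_OUTPUT), UNIX_UIDS).items():
        print(f"{user}: {verdict}")
```
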
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: 26 June 2012 15:59
To: samba at lists.samba.org
Subject: Re: [Samba] unable to log on to Samba shares remotely
When you say "remotely" you mean from another computer. Or do you mean
from another subnet?
If you recreated both samba accounts, and the two accounts behave
differently, then the problem may be in the underlying unix account.
Are the unix accounts defined in /etc/passwd?
I also find it interesting that the two users do NOT have user SIDs
that are sequential (or at least in a closer range.) Are you using
idmap to allocate
Can you run
# wbinfo -n user1
# wbinfo -n user2
This will show the user sids of the users
# wbinfo -s sid_of_user_one
# wbinfo -s sid_of_user_two
The name-to-sid and sid-to-name assignment should match up.
Also try the following
# id user1
# id "YOURDOMAIN\user1" (if you are using winbind)
# id user2
# id "YOURDOMAIN\user2"
On 06/26/12 08:25, Claesen Dirk wrote:
> Dear,
>
> I have a working Samba 3.5.6 running on one of my servers onto which (existing) users can successfully log on.
> Recently, I needed to add some projects and some users but I cannot succeed in letting these new users access the shares.
>
> The smb.conf file is very small and I had only 4 users until now.
> In the following smb.conf, projA_dirs is only accessed by user1, while projB_dirs is the new project I need to add and this one will be accessed by user2
> user1 has been accessing projA_dirs for years without any problem, user2 is the one I fail to add.
>
> Contents of smb.conf:
>
> [global]
> workgroup = TECH_GRP
> server string = Samba %v on (%h)
> log level = 3
> log file = /usr/local/samba/var/log.%m
> max log size = 50
> dns proxy = No
> ldap ssl = no
> hosts allow = 192.168.5., 192.168.4., 192.168.3., 192.168.100.
>
> [all_dirs]
> comment = All directories on Server1
> path = /
> read only = No
>
> [projA_dirs]
> comment = All ProjectA directories on Server1
> path = /disk/projA/prod
> read only = No
>
> [projB_dirs]
> comment = All ProjectB directories on Server1
> path = /disk/projB/prod
> read only = No
>
>
> The initial samba setup was a migration from a Samba 2 server which used the smbpasswd file. In order to convert this into a tdbsam, I used the command "pdbedit -i smbpasswd -e tdbsam" at the time I set up the server. As written earlier in this mail, this never caused any problems.
>
> Now that I need user2 to access projB_dirs, I did the following:
> - Add projB_dirs to the smb.conf file
> - Ran "pdbedit -a user2" and provided the password
>
> After having added the share and the user I could access the new share with the new user when working directly on the Samba server (server1). However, when I try to connect from another Samba 3.5.6 server or from a Windows XP PC I get respectively a "session setup failed: NT_STATUS_LOGON_FAILURE" or "System error 1326 has occurred. Logon failure: unknown user name or bad password." error message. (there is no firewall blocking any ports between the servers or between the PC and server1)
>
>
> The output of pdbedit does not show any major differences for the two users to me:
>
> # ../bin/pdbedit -v -u user1
> Unix username: user1
> NT username:
> Account Flags: [UX ]
> User SID: S-1-5-21-1956562905-4024769754-4182693708-1500
> Primary Group SID: S-1-5-21-1956562905-4024769754-4182693708-513
> Full Name: user1 server1
> Home Directory: \\server1\user1
> HomeDir Drive:
> Logon Script:
> Profile Path: \\server1\user1\profile
> Domain: SERVER1
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Tue, 26 Jun 2012 13:38:36 CEST
> Password can change: Tue, 26 Jun 2012 13:38:36 CEST
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> # ../bin/pdbedit -v -u user2
> Unix username: user2
> NT username:
> Account Flags: [UX ]
> User SID: S-1-5-21-1956562905-4024769754-4182693708-1004
> Primary Group SID: S-1-5-21-1956562905-4024769754-4182693708-513
> Full Name: user2 server1
> Home Directory: \\server1\user2
> HomeDir Drive:
> Logon Script:
> Profile Path: \\server1\user2\profile
> Domain: SERVER1
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Tue, 19 Jun 2012 17:20:33 CEST
> Password can change: Tue, 19 Jun 2012 17:20:33 CEST
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.
>
>
> Logging in with debug level 10 using smbclient from the other server gives me:
>
> ...
> got smb length of 35
> size=35
> smb_com=0x73
> smb_rcls=109
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51203
> smb_tid=0
> smb_pid=12023
> smb_uid=100
> smb_mid=3
> smt_wct=0
> smb_bcc=0
>
>
> Because I only had issues with the new users I added, I checked what would happen if I would remove user1 using pdbedit -x and then recreate that user using pdbedit -a. From that moment on I was also no longer able to log on with user1 remotely.
> As I thought there might be a problem inside the database I shut down smbd and nmbd, removed passdb.tdb and secrets.tdb, and restarted the daemons. This resulted in the two tdb files being recreated, after which I added user1 and user2 again using pdbedit -a. Again, I could only access the shares using either of these users directly from server1 but not from any of the other servers.
>
> Then I shut down the daemons again, restored the initial tdb files and restarted the daemons. With the initial tdb files back in place, I can login again remotely using user1 but not with user2 (even after I added the account again). Repeating my test connecting locally to the share, I noticed I am not able to connect locally with user1 to projA_dirs while it is possible to do it from the other server. I can connect locally using user2.
> I didn't test the local connectivity with user1 before I started playing around with the tdb files so I cannot confirm whether or not this was possible before.
>
> I'm looking for any hints that might help me understand this issue and get it solved. Local connectivity to the shares is not required but I must be able to connect using the new users from the Windows XP PC.
>
>
> Kind regards,
>
> Dirk Claesen
>
>
>
>
> This e-mail and any attachments may contain confidential and
> privileged information. If you are not the intended recipient,
> please notify the sender immediately by return e-mail, delete this
> e-mail and destroy any copies. Any dissemination or use of this
> information by a person other than the intended recipient is
> unauthorized and may be illegal.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba